10/17/2007
05:29 PM

An End To Exploit-Based Development On The iPhone?

Apple CEO Steve Jobs explains the SDK shipping in February will help third-party partners and protect iPhone users from malicious programs.

With the upcoming introduction of an Apple-sanctioned iPhone software development kit in February, mobile application developers will no longer have to exploit a vulnerability to write iPhone applications.

Until then, determined developers may continue looking to the work of security researcher H.D. Moore, who has recently written a series of blog posts about cracking the iPhone.

Moore, director of security at BreakingPoint Systems and creator of the Metasploit vulnerability testing tool, has published details about the exploit that third-party developers have been using to put applications on the iPhone against Apple's wishes.

"Using a security vulnerability to enable third-party development is nothing new, but in the case of iPhone, this can be a problem," Moore said in a blog post last week.

The problem is that the flaw isn't merely useful for iPhone developers who just can't wait for Apple to open the iPhone up; it's potentially useful for hackers.

In a statement Wednesday on the Apple Web site, Apple CEO Steve Jobs made it clear that Apple is concerned about iPhone vulnerabilities.

"Some claim that viruses and malware are not a problem on mobile phones -- this is simply not true," said Jobs. "There have been serious viruses on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous. And since the iPhone is the most advanced phone ever, it will be a highly visible target."

The exploit described by Moore takes advantage of a programming flaw in libtiff, the open-source TIFF image-rendering library. It has been tested on several iPhone applications that incorporate libtiff: MobileMail, MobileSafari, and the iTunes Music Store, under firmware versions 1.02 and 1.1.1.

As Secunia explained in a recent security advisory, "The vulnerability is caused due to an error in the processing of TIFF images and can potentially be exploited to execute arbitrary code when a specially crafted TIFF image is viewed, e.g. in the Safari Web browser."

People who use their iPhones to read e-mail or surf the Web could thus be targeted by hackers.

The vulnerability also affects Apple's iPod Touch.

Secunia rates the vulnerability as "highly critical," or 4 on a 5-point scale.

"We are working on an advanced system which will offer developers broad access to natively program the iPhone's amazing software platform while at the same time protecting users from malicious programs," said Jobs. "We think a few months of patience now will be rewarded by many years of great third party applications running on safe and reliable iPhones."
